12. Security advisories¶
12.1. Locked Users¶
When a user is locked in the userstore this information is not passed to LinOTP, as each userstore uses other means to lock a user. I.e. if you lock a user in Active Directory LinOTP will still authenticate this user successfully, when he provides the correct OTP value. If you also need to lock the user in LinOTP, you may lock all tokens of this user to disable his access. See the LSE customer portal for a small howto configure locked users [1].
[1] | https://www.lsexperts.de/kundenportal.html |
12.2. UserIdResolver¶
The UserIdResolvers are used by the LinOTP Server to find the user object for a given loginname. The userstores are configured on the LinOTP Server. You can change this configuration with the LinOTP Management Client. Technically the client communicates with the LinOTP Server via HTTP and the URL path /system/getConfig and /system/setConfig. Although the data is stored encrypted in the database, in the current version the passwords for the LDAP Bind and the SQL user are transferred in plain text between the LinOTP Management Client and the LinOTP server. So assure, that
- you are using HTTPS,
- you are restricting access to the /system/ interface via the apache config
- you use an LDAP Bind that has only read access!